Score:0

Nginx Reverse Proxy Overwrite Certificate


I have a problem trying to overwrite a certificate using NGINX as a reverse proxy forwarding all requests to an Apache server with an old certificate (TLS 1.0).

This is my .conf file:

server {
    listen        80;
    server_name   provision.metrotel.com.ar;
    return 301 https://provision.metrotel.com.ar$request_uri;
}

server {
    listen 443 ssl http2;
    server_name provision.metrotel.com.ar;
    ssl_certificate /etc/nginx/certs/metrotel.crt;
    ssl_certificate_key /etc/nginx/certs/metrotel.key;
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error_prov.log;
    location / {
        proxy_pass http://prov.metrotel.com.ar/;
        # proxy_ssl_* directives only apply to an https:// upstream;
        # with an http:// proxy_pass they have no effect
        proxy_ssl_certificate           /etc/nginx/certs/metrotel.crt;
        proxy_ssl_certificate_key       /etc/nginx/certs/metrotel.key;
    }
}

http://prov.metrotel.com.ar/ is the server where the website is located, and it has an old certificate. Is there a way to overwrite that cert using the one I have in my nginx reverse proxy?

I've tried several options, but I always get the "NET::ERR_SSL_OBSOLETE_VERSION" error.


Client: Chrome on 172.20.1.4
Proxy: Nginx on srv-nginx-a.metrotel.local (192.168.151.112)
Backend: prov.metrotel.com.ar (192.168.59.20)

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens192, link-type EN10MB (Ethernet), capture size 262144 bytes

11:50:59.260014 IP 172.20.1.4.19710 > srv-nginx-a.metrotel.local.https: Flags [S], seq 979144705, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 4], length 0

11:50:59.260165 IP srv-nginx-a.metrotel.local.https > 172.20.1.4.19710: Flags [S.], seq 3107298579, ack 979144706, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0

11:50:59.260397 IP 172.20.1.4.19710 > srv-nginx-a.metrotel.local.https: Flags [.], ack 1, win 1825, length 0

11:50:59.282128 IP 172.20.1.4.19710 > srv-nginx-a.metrotel.local.https: Flags [P.], seq 1:536, ack 1, win 1825, length 535

11:50:59.282204 IP srv-nginx-a.metrotel.local.https > 172.20.1.4.19710: Flags [.], ack 536, win 237, length 0

11:50:59.282659 IP srv-nginx-a.metrotel.local.https > 172.20.1.4.19710: Flags [P.], seq 1:153, ack 536, win 237, length 152

11:50:59.282869 IP 172.20.1.4.19710 > srv-nginx-a.metrotel.local.https: Flags [.], ack 153, win 1892, length 0

11:50:59.293101 IP 172.20.1.4.19710 > srv-nginx-a.metrotel.local.https: Flags [P.], seq 536:587, ack 153, win 1892, length 51

11:50:59.332644 IP srv-nginx-a.metrotel.local.https > 172.20.1.4.19710: Flags [.], ack 587, win 237, length 0

11:50:59.332935 IP 172.20.1.4.19710 > srv-nginx-a.metrotel.local.https: Flags [P.], seq 587:1300, ack 153, win 1892, length 713

11:50:59.332967 IP srv-nginx-a.metrotel.local.https > 172.20.1.4.19710: Flags [.], ack 1300, win 248, length 0

11:50:59.333185 IP srv-nginx-a.metrotel.local.53190 > 192.168.59.20.http: Flags [S], seq 1924765737, win 29200, options [mss 1460,sackOK,TS val 180831520 ecr 0,nop,wscale 7], length 0

11:50:59.333584 IP 192.168.59.20.http > srv-nginx-a.metrotel.local.53190: Flags [S.], seq 4244116336, ack 1924765738, win 5792, options [mss 1460,sackOK,TS val 3558238853 ecr 180831520,nop,wscale 7], length 0

11:50:59.333605 IP srv-nginx-a.metrotel.local.53190 > 192.168.59.20.http: Flags [.], ack 1, win 229, options [nop,nop,TS val 180831521 ecr 3558238853], length 0

11:50:59.333639 IP srv-nginx-a.metrotel.local.53190 > 192.168.59.20.http: Flags [P.], seq 1:757, ack 1, win 229, options [nop,nop,TS val 180831521 ecr 3558238853], length 756: HTTP: GET / HTTP/1.0

11:50:59.333915 IP 192.168.59.20.http > srv-nginx-a.metrotel.local.53190: Flags [.], ack 757, win 58, options [nop,nop,TS val 3558238854 ecr 180831521], length 0

11:50:59.334144 IP 192.168.59.20.http > srv-nginx-a.metrotel.local.53190: Flags [P.], seq 1:520, ack 757, win 58, options [nop,nop,TS val 3558238854 ecr 180831521], length 519: HTTP: HTTP/1.1 302 Found

11:50:59.334157 IP srv-nginx-a.metrotel.local.53190 > 192.168.59.20.http: Flags [.], ack 520, win 237, options [nop,nop,TS val 180831521 ecr 3558238854], length 0

11:50:59.334169 IP 192.168.59.20.http > srv-nginx-a.metrotel.local.53190: Flags [F.], seq 520, ack 757, win 58, options [nop,nop,TS val 3558238854 ecr 180831521], length 0

11:50:59.334236 IP srv-nginx-a.metrotel.local.53190 > 192.168.59.20.http: Flags [F.], seq 757, ack 521, win 237, options [nop,nop,TS val 180831521 ecr 3558238854], length 0

11:50:59.334272 IP srv-nginx-a.metrotel.local.https > 172.20.1.4.19710: Flags [P.], seq 153:1048, ack 1300, win 248, length 895

11:50:59.334438 IP 192.168.59.20.http > srv-nginx-a.metrotel.local.53190: Flags [.], ack 758, win 58, options [nop,nop,TS val 3558238854 ecr 180831521], length 0

11:50:59.373720 IP 172.20.1.4.19710 > srv-nginx-a.metrotel.local.https: Flags [.], ack 1048, win 2004, length 0

11:50:59.407267 IP 172.20.1.4.19710 > srv-nginx-a.metrotel.local.https: Flags [P.], seq 1300:2013, ack 1048, win 2004, length 713

11:50:59.407531 IP srv-nginx-a.metrotel.local.53192 > 192.168.59.20.http: Flags [S], seq 3919551832, win 29200, options [mss 1460,sackOK,TS val 180831594 ecr 0,nop,wscale 7], length 0

11:50:59.407867 IP 192.168.59.20.http > srv-nginx-a.metrotel.local.53192: Flags [S.], seq 2604868674, ack 3919551833, win 5792, options [mss 1460,sackOK,TS val 3558238928 ecr 180831594,nop,wscale 7], length 0

11:50:59.407897 IP srv-nginx-a.metrotel.local.53192 > 192.168.59.20.http: Flags [.], ack 1, win 229, options [nop,nop,TS val 180831595 ecr 3558238928], length 0

11:50:59.407950 IP srv-nginx-a.metrotel.local.53192 > 192.168.59.20.http: Flags [P.], seq 1:757, ack 1, win 229, options [nop,nop,TS val 180831595 ecr 3558238928], length 756: HTTP: GET / HTTP/1.0

11:50:59.408211 IP 192.168.59.20.http > srv-nginx-a.metrotel.local.53192: Flags [.], ack 757, win 58, options [nop,nop,TS val 3558238928 ecr 180831595], length 0

11:50:59.408605 IP 192.168.59.20.http > srv-nginx-a.metrotel.local.53192: Flags [P.], seq 1:520, ack 757, win 58, options [nop,nop,TS val 3558238928 ecr 180831595], length 519: HTTP: HTTP/1.1 302 Found

11:50:59.408627 IP srv-nginx-a.metrotel.local.53192 > 192.168.59.20.http: Flags [.], ack 520, win 237, options [nop,nop,TS val 180831596 ecr 3558238928], length 0

11:50:59.408642 IP 192.168.59.20.http > srv-nginx-a.metrotel.local.53192: Flags [F.], seq 520, ack 757, win 58, options [nop,nop,TS val 3558238928 ecr 180831595], length 0

11:50:59.408711 IP srv-nginx-a.metrotel.local.53192 > 192.168.59.20.http: Flags [F.], seq 757, ack 521, win 237, options [nop,nop,TS val 180831596 ecr 3558238928], length 0

11:50:59.408748 IP srv-nginx-a.metrotel.local.https > 172.20.1.4.19710: Flags [P.], seq 1048:1943, ack 2013, win 259, length 895

11:50:59.408974 IP 192.168.59.20.http > srv-nginx-a.metrotel.local.53192: Flags [.], ack 758, win 58, options [nop,nop,TS val 3558238929 ecr 180831596], length 0

11:50:59.408994 IP 172.20.1.4.19710 > srv-nginx-a.metrotel.local.https: Flags [.], ack 1943, win 2116, length 0
Steffen Ullrich
It is unclear to me what you are really doing, and there is nothing reproducible here (the domains don't resolve in DNS). Where exactly do you get this error, what URL are you trying to access exactly, and with which tool? Also, TLS 1.0 is not an old certificate but an old TLS protocol version. And in your config you don't even access the internal site by HTTPS, just `http://...`.
Julian Rios
Steffen, those domains are local domains; they are not accessible from the Internet. What I want to do is use nginx as a proxy: I type provision.metrotel.com.ar in my browser, and when nginx reads that URL, it sends it to prov.metrotel.com.ar. My bad on calling TLS 1.0 an old certificate; it's an old protocol, you're right. I got that error in prov.metrotel.com.ar (the hosting server). If I change the proxy_pass to https://prov.metrotel.com.ar/ I get the same NET::ERR_SSL_OBSOLETE_VERSION. My question is if there is a way to "overwrite" TLS 1.0 with TLS 1.2 with the proxy.
Steffen Ullrich
*"If I change the proxy_pass to prov.metrotel.com.ar I get the same NET::ERR_SSL_OBSOLETE_VERSION."* - again, it is not clear where you get this error (client, nginx log ...) and which URL and client you are using exactly for testing. The URL used by the client must of course be the one served by nginx (`provision...`), not the original one served by Apache (`prov...`).
dave_thompson_085
It's not really 'overwriting'. With any proxy, including nginx, there are two different TLS-formerly-SSL connections, one from the client (browser etc.) to the proxy, one from the proxy to the backend server. These two connections and their properties are completely separate, although the HTTP-level data received on one is forwarded to the other. Can you get a capture with Wireshark or similar, preferably on or as near as possible to the proxy (nginx) machine?
Julian Rios
Hi guys, thanks for your help. Tomorrow I'll take a debug and post it here. Using TLS 1.2 and TLS 1.3 in the listen 443 ssl keeps showing the NET::ERR_SSL_OBSOLETE_VERSION. The message that is shown in the browser is sent from the backend server (prov.metrotel.com.ar). It's the same error in Chrome, Firefox and Opera. I use provision.metrotel.com.ar as the URL in the client, so the redirect is working OK, but I can't dump TLS v1.0 and "upgrade" it to TLS v1.2:
1. Client to Proxy is TLS v1.2
2. Proxy to Backend is TLS v1.0
3. Client to Backend finally is TLS v1.0 :(
dave_thompson_085
According to tcpdump, nginx is receiving (in clear) two 302 redirects, although it doesn't show the URLs. **Possibly the redirect causes the client to go directly to the backend rather than the proxy?** If you have (or can get) curl, try `curl -vL https://proxy/desired_URL` to see where/how it is redirecting, or in Chrome enable dev-tools (F12) and select the Network tab. Or use Wireshark (as I first suggested) to see the complete decode; if you can't install it, use `tcpdump -w` to capture to a file and move that file to someplace you can use Wireshark.
dave_thompson_085
Added: with `curl -vL` you might also redirect the data output to a file, possibly `/dev/null` (or Windows `NUL:`), to make it easy to focus on the headers.
Score:1

Try turning on TLS 1.2 and 1.3 by adding `ssl_protocols TLSv1.2 TLSv1.3;` to your server section, like this:

server {
    listen        80;
    server_name   provision.metrotel.com.ar;
    return 301 https://provision.metrotel.com.ar$request_uri;
    ssl_protocols TLSv1.2 TLSv1.3;
}
dave_thompson_085
In an http (listen 80) `server` that's not going to do anything. It would only have an effect in the https (listen 443) `server`, but the default should already include up to 1.2, which should make Chrome happy.
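Putting the two comment threads together (the `ssl_protocols` placement above, and the earlier hypothesis that the backend's 302 redirects send the browser straight to the TLS 1.0 Apache host): the following is an added example configuration, not the asker's file or a fix confirmed in this thread. It assumes the backend's `Location` headers carry its own hostname (prov.metrotel.com.ar), which the tcpdump output does not show; `proxy_redirect` then rewrites them so the browser stays on the proxy.

```nginx
# Added example, not the original poster's configuration.
server {
    listen 80;
    server_name provision.metrotel.com.ar;
    return 301 https://provision.metrotel.com.ar$request_uri;
}

server {
    listen 443 ssl http2;
    server_name provision.metrotel.com.ar;

    ssl_certificate     /etc/nginx/certs/metrotel.crt;
    ssl_certificate_key /etc/nginx/certs/metrotel.key;
    # Only in the TLS server does ssl_protocols change what the browser sees;
    # in the listen-80 server it is ignored.
    ssl_protocols TLSv1.2 TLSv1.3;

    access_log /var/log/nginx/access.log;
    error_log  /var/log/nginx/error_prov.log;

    location / {
        # Backend connection is plain HTTP (as the capture shows), so the
        # backend's TLS 1.0 never reaches the client on this path.
        proxy_pass http://prov.metrotel.com.ar/;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Assumption: the backend's 302s point at its own name. The default
        # proxy_redirect only rewrites Locations that start with the
        # proxy_pass URL (http://prov...), so an https://prov... Location
        # would pass through unchanged and send the browser directly to the
        # TLS 1.0 host. Rewrite both forms to the proxy's public name.
        proxy_redirect http://prov.metrotel.com.ar/  https://provision.metrotel.com.ar/;
        proxy_redirect https://prov.metrotel.com.ar/ https://provision.metrotel.com.ar/;
    }
}
```

After reloading, `curl -vL https://provision.metrotel.com.ar/` should show every hop's `Location` header staying on provision.metrotel.com.ar; a hop that still names prov.metrotel.com.ar means the backend redirects in a form these two rules do not cover.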
Score:0

On the Wireshark pcap, the connection between Client (Chrome) and Proxy (Nginx) is TLS 1.2. The other part (Nginx to Apache, the old TLS host) is only HTTP. The proxy is working OK; there's "no" connection between Client and Server, the proxy is always in the middle.
